Protecting Browsers from Extension Vulnerabilities

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2010

Volumn , Issue , 2010, Pages

  Barth, Adam ^a   Felt, Adrienne Porter ^a   Saxena, Prateek ^a   Boodman, Aaron ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b GOOGLE INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CHROME EXTENSIONS; EXTENSION SYSTEMS; FIREFOX; GOOGLE+; LEAST PRIVILEGE; SECURITY EXPERTS; WEB-SITES;

EID: 85166275153     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (36)

1. Arbitrary code execution using bug 459906. https://bugzilla.mozilla.org/show_bug.cgi?id=460983.
2. JSON. http://www.json.org.
3. Mozilla Security Advisory 2009-19. http://www.mozilla.org/security/announce/2009/mfsa2009-19.html.
4. Mozilla Security Advisory 2009-39. http://www.mozilla.org/security/announce/2009/mfsa2009-39.html.
5. Skype. http://www.skype.com.
6. Zemanta. http://www.zemanta.com.
7. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. In ACM Conference on Computer and Communications Security (CCS), November 2005.
8. L. Adamski. Security Severity Ratings. https://wiki.mozilla.org/Security_Severity_Ratings.
9. B. Adida, A. Barth, and C. Jackson. Rootkits for JavaScript Environments. In 3rd USENIX Workshop on Offensive Technologies, 2009.
10. A. Barth, C. Jackson, and W. Li. Attacks on JavaScript Mashup Communication. In Proceedings of the Web 2.0 Security and Privacy 2009.
11. A. Barth, C. Jackson, C. Reis, and The Google Chrome Team. The Security Architecture of the Chromium Browser. Technical report, Google, 2008.
12. A. Barth, J. Weinberger, and D. Song. Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense. In USENIX Security Symposium, 2009.
13. A. Boodman and E. Kay. Google Mail Checker. http://code.google.com/chrome/extensions/samples.html.
14. S. Crites, F. Hsu, and H. Chen. Omash: Enabling secure web mashups via object abstractions. In CCS’08: Proceedings of the 15th ACM conference on Computer and communications security, pages 99–108. ACM, 2008.
15. J. R. Douceur, J. Elson, J. Howell, and J. R. Lorch. Leveraging legacy code to deploy desktop applications on the web. In USENIX Operating System Design and Implementation, 2008.
16. Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In Symposium on Operating System Design and Implementation (OSDI), 2006.
17. Google. Google Chrome Extensions: Most popular gallery. https://chrome.google.com/extensions/list/popular.
18. C. Grier, S. T. King, and D. S. Wallach. How I Learned to Stop Worrying and Love Plugins. In Web 2.0 Security and Privacy, 2009.
19. C. Grier, S. Tang, and S. T. King. Secure Web Browsing with the OP Web Browser. In IEEE Symposium on Security and Privacy, 2008.
20. I. Hickson. DOM Core Performance, Test 1. http://www.hixie.ch/tests/adhoc/perf/dom/artificial/core/001.html.
21. C. Jackson and A. Barth. Beware of finer-grained origins. In Web 2.0 Security and Privacy, 2008.
22. C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell. Protecting browser state from web privacy attacks. In Proceedings of the 15th International World Wide Web Conference (WWW), May 2006.
23. kkovash. How Many Firefox Users Customize Their Browser? Blog of Metrics, 2009.
24. R. S. Liverani and N. Freeman. Abusing Firefox Extensions. Defcon17, July 2009.
25. M. T. Louw, J. S. Lim, and V. N. Venkatakrishnan. Enhancing web browser security against malware extensions. In Journal in Computer Virology, August 2008.
26. Microsoft Developer Network. Introduction of the Protected Mode API. http://msdn.microsoft.com/en-us/library/ms537319(VS.85).aspx.
27. Mozilla Labs. Jetpack. https://wiki.mozilla.org/Labs/Jetpack.
28. D. Pupius. Fittr Flickr Extension for Chrome. http://code.google.com/p/fittr/.
29. A. Raskin. Jetpack FAQ. http://www.azarask.in/blog/post/jetpack-faq/, 2009.
30. M. M. Swift, B. N. Bershad, and H. M. Levy. Improving the Reliability of Commodity Operating Systems. ACM Transactions on Computer Systems, 23(1):77–110, 2005.
31. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient Software-Based Fault Isolation. In ACM Symposium on Operating Systems Principles (SOSP), 1994.
32. H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and Communication Abstractions for Web Browsers in MashupOS. In 21st ACM Symposium on Operating Systems Principles (SOSP), 2007.
33. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The Multi-Principal OS Construction of the Gazell Web Browser. In USENIX Security Symposium, 2009.
34. S. Willison. Understanding the Greasemonkey vulnerability. http://simonwillison.net/2005/Jul/20/vulnerability/.
35. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native client: A sandbox for portable, untrusted x86 native code. In IEEE Symposium on Security and Privacy, 2009.
36. F. Zhou, J. Condit, Z. Anderson, I. Bagrak, R. Ennals, M. Harren, G. Necula, and E. Brewer. SafeDrive: Safe and recoverable extensions using language-based techniquesXFI. In Symposium on Operating System Design and Implementation (OSDI), 2006.